8 matches found
CVE-2026-33582
The CVE-2026-33582 issue affects Apache Answer up to version 2.0.0, where a crafted TIFF image can trigger excessive memory allocation during decoding, allowing an authenticated user to crash the server process. Upgrade to version 2.0.1 to fix the issue. The reported CVSS vector indicates MEDIUM ...
CVE-2026-25699
CVE-2026-25699 applies to Apache Answer up to version 2.0.0, where timeline-related APIs lacked proper authorization checks. This could allow regular authenticated users to access deleted, private, or unapproved content and its revision history. The issue is addressed by upgrading to version 2.0....
CVE-2026-25700
CVE-2026-25700 relates to Apache Answer prior to version 2.0.1, where administrative tokens issued before an admin account was suspended, deleted, or deactivated were not invalidated. This allowed continued access to administrative APIs until those tokens expired. Affected product: Apache Answer ...
CVE-2026-34031
CVE-2026-34031 concerns Apache Answer up to version 2.0.0, where the server fails to validate user-supplied image URLs used for profile avatars. This allows embedding arbitrary external content as avatars, potentially enabling unintended external requests and tracking by third-party servers. A fi...
CVE-2026-34905
CVE-2026-34905 affects Apache Answer up to version 2.0.0. The issue arises from the unlisted question feature not enforcing access restrictions on direct API endpoints, permitting authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Upgrade...
CVE-2026-25688
CVE-2026-25688 describes an XSS vulnerability in Apache Answer. The issue is an improper neutralization of alternate XSS syntax in AI-generated responses rendered in the browser, affecting Apache Answer up to version 2.0.0. Affected behavior allows execution of malicious scripts when content is v...
CVE-2026-34033
CVE-2026-34033 affects Apache Answer up to version 2.0.0. The issue is an HTML content injection (basic XSS) where user-supplied content included in notification emails was not properly escaped, allowing authenticated users to inject arbitrary HTML into emails sent to other users. The CVSS vector...
CVE-2026-24735
CVE-2026-24735 affects Apache Answer up to version 1.7.1. An unauthenticated API endpoint exposes the full revision history for deleted content, enabling unauthorized retrieval of restricted or sensitive information. Remediation: upgrade to version 2.0.0 (or later) where the issue is fixed. The a...